CVE-2025-12085
📋 TL;DR
The ELEX WordPress HelpDesk plugin has an authorization vulnerability that allows authenticated users with Subscriber-level access or higher to permanently delete tickets from the trash. This affects all WordPress sites using the plugin up to version 3.3.1. Attackers can abuse this to disrupt customer support operations by removing tickets that might still be needed.
💻 Affected Systems
- ELEX WordPress HelpDesk & Customer Ticketing System
📦 What is this software?
Wsdesk by Elula
⚠️ Risk & Real-World Impact
Worst Case
Malicious subscriber empties all ticket trash, permanently deleting customer support tickets that might contain important information, evidence, or unresolved issues, causing operational disruption and potential data loss.
Likely Case
Low-privilege user or compromised account deletes tickets from trash, causing minor to moderate disruption to customer support workflows and potential loss of historical ticket data.
If Mitigated
With proper access controls and monitoring, impact is limited to temporary inconvenience as administrators can restore from backups if available.
🎯 Exploit Status
Exploitation requires authenticated access but is trivial once authenticated. The vulnerability is in an AJAX function that lacks proper capability checks.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.3.2 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3399391/elex-helpdesk-customer-support-ticket-system/trunk/includes/class-crm-ajax-functions-two.php
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'ELEX HelpDesk & Customer Support Ticket System'.
4. Click 'Update Now' if available.
5. Alternatively, download version 3.3.2+ from WordPress.org and manually update.
🔧 Temporary Workarounds
Remove Subscriber Access
Temporarily remove the Subscriber role from all users, or restrict plugin access to higher roles only.
Disable Plugin
Deactivate the ELEX HelpDesk plugin until patched:
wp plugin deactivate elex-helpdesk-customer-support-ticket-system
🧯 If You Can't Patch
- Implement strict access controls limiting plugin functions to Administrator and Editor roles only.
- Enable comprehensive logging and monitoring of ticket deletion activities and set up alerts for suspicious trash emptying.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for ELEX HelpDesk version. If version is 3.3.1 or lower, you are vulnerable.
Check Version:
wp plugin get elex-helpdesk-customer-support-ticket-system --field=version
Verify Fix Applied:
After updating, verify plugin version shows 3.3.2 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Multiple POST requests to /wp-admin/admin-ajax.php with action=eh_crm_settings_empty_trash from non-admin users
- Sudden decrease in trashed ticket counts
Network Indicators:
- AJAX calls to empty_trash function from low-privilege user accounts
SIEM Query:
source="wordpress.log" AND "eh_crm_settings_empty_trash" AND (user_role="subscriber" OR user_role="contributor")
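The log indicators above, turned into a small detector as an added example (not part of this advisory or of the plugin). It assumes a hypothetical JSON-per-line audit log carrying the request path, the AJAX action, the user and the user's role; the sample lines are constructed, and the five-minute burst window and threshold of three calls are arbitrary tuning values.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Roles that legitimately administer the plugin; anything else calling
# the empty-trash action is worth an alert.
PRIVILEGED_ROLES = {"administrator", "editor"}
TARGET_PATH = "/wp-admin/admin-ajax.php"
TARGET_ACTION = "eh_crm_settings_empty_trash"

# Constructed sample audit log (hypothetical JSON-per-line format); not real site data.
SAMPLE_LOG = """\
{"ts": "2025-11-01T10:00:00", "method": "POST", "path": "/wp-admin/admin-ajax.php", "action": "eh_crm_settings_empty_trash", "user": "admin", "role": "administrator"}
{"ts": "2025-11-01T10:00:05", "method": "POST", "path": "/wp-admin/admin-ajax.php", "action": "eh_crm_settings_empty_trash", "user": "mallory", "role": "subscriber"}
{"ts": "2025-11-01T10:00:35", "method": "POST", "path": "/wp-admin/admin-ajax.php", "action": "eh_crm_settings_empty_trash", "user": "mallory", "role": "subscriber"}
{"ts": "2025-11-01T10:01:10", "method": "POST", "path": "/wp-admin/admin-ajax.php", "action": "eh_crm_settings_empty_trash", "user": "mallory", "role": "subscriber"}
{"ts": "2025-11-01T10:02:00", "method": "POST", "path": "/wp-admin/admin-ajax.php", "action": "heartbeat", "user": "bob", "role": "subscriber"}
{"ts": "2025-11-01T11:30:00", "method": "POST", "path": "/wp-admin/admin-ajax.php", "action": "eh_crm_settings_empty_trash", "user": "carol", "role": "contributor"}
"""

def analyze(log_text, burst_count=3, burst_window=timedelta(minutes=5)):
    """Return one alert per empty-trash call from a non-privileged role,
    plus a 'burst' alert when a single user repeats it within the window."""
    alerts = []
    per_user = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec["path"] != TARGET_PATH or rec["action"] != TARGET_ACTION:
            continue
        if rec["role"] in PRIVILEGED_ROLES:
            continue  # expected administrative use, no alert
        alerts.append({"kind": "low_privilege_empty_trash", "user": rec["user"],
                       "role": rec["role"], "ts": rec["ts"]})
        per_user[rec["user"]].append(datetime.fromisoformat(rec["ts"]))
    # Sudden trash-emptying bursts from one account point at mass deletion.
    for user, times in per_user.items():
        times.sort()
        for i in range(len(times) - burst_count + 1):
            if times[i + burst_count - 1] - times[i] <= burst_window:
                alerts.append({"kind": "burst", "user": user,
                               "count": burst_count, "ts": times[i].isoformat()})
                break
    return alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```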